The European Union is a leader in cybersecurity policy and the Cyber Resilience Act (CRA) represents a major achievement as well as a source of inspiration for many other countries, according to Luis Miguel Vega Fidalgo, International Cybersecurity Policy Coordinator at the European Commission's DG Connect.
Speaking on Wednesday at the Bucharest Cybersecurity Conference (BCC2025), Vega Fidalgo described the CRA as revolutionary, noting that its significance may not yet be fully appreciated. He said the legislation sets out market access conditions for cyber-secure and resilient products, with a scope so broad that it covers virtually all digital and electronic products by imposing cybersecurity requirements.
He explained that the legislation was not created to burden businesses unnecessarily, but was a necessary response to the growing cybersecurity threats. Vega Fidalgo said that these threats are increasingly evident in threat landscape reports and are further intensified by the current geopolitical climate, including hostile activities from certain countries, some of which are geographically close to Romania. He emphasised that the European Union aimed to take the lead in this area and that the CRA stands as a landmark initiative, reinforcing the EU's position as a frontrunner in global cybersecurity policy.
Vega Fidalgo also pointed out that the EU likely has the most advanced legal framework for cybersecurity in the world. He noted that no other country currently has legislation comparable to the CRA, and said the Act is attracting considerable international interest. In many other jurisdictions, he added, cybersecurity measures remain voluntary or apply to only a limited range of products, whereas the CRA imposes mandatory requirements across the board within the EU.
He stressed that the challenge now lies in implementing the legislation effectively, which will require collective effort across all 27 member states. With a single internal market, common standards will apply across the EU for placing products on the market - now including cybersecurity criteria. Vega Fidalgo said this presented an opportunity for open market access rather than being a burden, and urged stakeholders to see the CRA as a gateway to a harmonised European market.
The DG Connect representative also underlined that the European market is open to competition and does not discriminate against any company based on origin. He argued that the EU operates one of the fairest markets globally, with all actors required only to meet essential legal and technical requirements. He added that the CRA had been developed with the particular needs of small and medium-sized enterprises (SMEs) in mind.
According to Vega Fidalgo, the European Commission is working on providing clear guidance on how the legislation should be applied and interpreted. He mentioned that the Commission is also developing technical standards in collaboration with relevant standardisation bodies, to ensure the CRA can be implemented fairly and effectively across the board.
The Cyber Resilience Act was adopted at EU level in October 2024 and will become mandatory for manufacturers starting in December 2027. The regulation sets a minimum level of cybersecurity for connected products sold in the European market.
Manufacturers have a 36-month transition period to bring their products into compliance, with the rules taking full effect from 11 December 2027. From that date, all new products placed on the market must meet the CRA's requirements.
The Act mandates secure product design, protection against vulnerabilities, and support throughout the product's lifecycle - including regular updates and security patches. These requirements apply to all digital products sold in the EU, whether stand-alone or integrated into other systems.
The National Cyber Security Directorate (DNSC), with support from Romania's National Coordination Centre (NCC-RO) and the National Association for Information Systems Security (ANSSI), is organising the 2025 edition of the Bucharest Cybersecurity Conference (BCC2025), taking place from 6 to 9 October.
AGERPRES National News Agency is one of the media partners of the event.